08/20/18: CMD/Miner JSP Shell

Threat Summary

Overview

This JSP shell provides remote OS command execution. Once the shell has been uploaded to the target server, an attacker can send requests to it with the HTTP parameter ‘cmd=’ to execute OS commands. The shell's second feature is the download and execution of a crypto miner, which is triggered when an attacker sends a request with no value in the ‘cmd=’ parameter.

Exploitation

Stages

An attacker uploads the JSP shell via a vulnerability or misconfigured application.

The server response indicates a successful upload.

An attacker can send a request to the shell with the HTTP parameter ‘cmd=’. This parameter can contain an OS command or no value.

If the request parameter contains a command, the server will respond with the results.

If the parameter does not contain a value, the server will send a curl request to an external server to download a crypto miner and execute it.
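The two request shapes described above (a ‘cmd=’ parameter carrying a command, and an empty ‘cmd=’ that triggers the miner download) leave a distinctive trace in web-server access logs. The following is an added detection example, not code from the advisory or from Alert Logic: it parses combined-format access-log lines, flags requests to any .jsp resource that carry a ‘cmd’ query parameter, and separates non-empty values (command execution) from empty ones (miner trigger, which is worth correlating with outbound egress from the web server at the same timestamp). The log lines, IP addresses and paths are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Aug/2018:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 512
203.0.113.10 - - [20/Aug/2018:10:01:15 +0000] "GET /uploads/img.jsp?cmd=id HTTP/1.1" 200 87
203.0.113.10 - - [20/Aug/2018:10:02:40 +0000] "GET /uploads/img.jsp?cmd= HTTP/1.1" 200 12
198.51.100.7 - - [20/Aug/2018:10:03:00 +0000] "POST /login.jsp HTTP/1.1" 302 0
"""

# Fields of a combined/common log line: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify_request(target):
    """Classify one request target.

    Returns 'command' when a .jsp resource is called with a non-empty
    'cmd' parameter, 'miner_trigger' when 'cmd' is present but empty
    (the behaviour the advisory describes), and None otherwise.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".jsp"):
        return None
    # keep_blank_values=True is essential: without it, 'cmd=' is dropped
    # from the parsed dict and the miner-trigger case is missed.
    params = parse_qs(parts.query, keep_blank_values=True)
    if "cmd" not in params:
        return None
    if any(value.strip() for value in params["cmd"]):
        return "command"
    return "miner_trigger"


def scan_log(text):
    """Return a list of findings for every suspicious line in the log text."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or non-matching line; skip rather than crash
        verdict = classify_request(match.group("target"))
        if verdict is None:
            continue
        findings.append({
            "ip": match.group("ip"),
            "ts": match.group("ts"),
            "path": urlsplit(match.group("target")).path,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['path']} -> {finding['verdict']}")
```

A ‘miner_trigger’ hit is a strong pivot point for an investigation: the advisory states that the server itself makes an outbound curl request for the miner at that moment, so proxy or firewall egress logs for the web server around that timestamp should show the download, and process listings on the host should be checked for an unexpected miner process.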

Prerequisites

The attacker must have exploited some other entry vector to allow the malicious files to become resident on the victim machine.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit. When Alert Logic Threat Manager™ detects a signature match, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

Ensure that all public internet-facing hosts have available patches applied and are sufficiently hardened for public access.